April 17th, 2004, 08:27 PM
ZoneAlarm possible vulnerability
A new vulnerability has been discovered and slightly tested concerning the email protection in ZoneAlarm. Feel free to try this and comment on your findings.
Some languages contain letters with roof characters (c - č, s - š, z - ž). If the name of an e-mail attachment has any of these letters, it will allow any type of file attachment to bypass the firewall and bypass being quarantined. This will allow attackers to email .exe attachments without ZA picking it up and quarantining it.
Zone Labs has been notified but has not responded as of yet.
Vulnerability originally discovered by Damjan Kreft.
Planet Maddness Industries
April 17th, 2004, 08:32 PM
Couple of questions:
1. When did you notify them? (How long has it been since they haven't replied)
2. Which ZoneAlarm product specifically does this affect as I don't recall the free version checking email.
April 17th, 2004, 08:38 PM
They were notified on or before April 14th by Damjan Kreft. He has not stated if he has been contacted concerning this.
Versions have been said to be any version utilizing email protection.
I myself have not tested this. I bring it to the community for anyone that wishes to test this and, if found to be true, take further actions to be sure they are protected properly.
April 17th, 2004, 09:49 PM
The free version does have "e-mail protection" but I believe that it looks for .vbs scripts only.
I have also been hearing that several mail/spam filters fall for accented characters, I don't have any details, but I did clean out a hotel computer a few days ago and noticed that a lot of the "body parts enhancements" and "performance enhancing drugs" spams had those characters in them.
It struck me as odd at the time but now it makes sense.
Thanks for clearing that puzzle up for me.
April 17th, 2004, 10:12 PM
Spam filters are _definitely_ failing on accented characters..... They recently started using them a lot..... and they are coming through like no-one's business.... Waiting for my spam server to update..... My organizations shouldn't get any really so I can block them without really getting any false positives.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
April 17th, 2004, 10:57 PM
Wow, didn't know that. Does that prevent my McAfee email virus scanning from detecting the worm or virus?
April 18th, 2004, 12:15 AM
This is a spam issue going by what I have seen? I believe that your anti virus software will still do its job, as it is not really looking at the header, it is looking at message bodies and attachments.
AFAIK there is no virus that arrives in the message header.
Spam filtering is usually based on the content (or lack of content) of the header. Up until this recent trend, this was quite adequate, and to scan the body or attachments would take too much additional resource?
For example, if I filter for "viagra"...........an accent over the "i" or "a" makes it a different word, so it gets through.
The problem is that some filters do not support accented characters, so you cannot add them to the filter. Also this has started recently, so admins who have filters that do support this have been caught unawares.
It's a war I am afraid mate
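For anyone maintaining a mail filter, the two problems discussed in this thread (accented attachment names and accented spam keywords) share one mitigation: decode and accent-fold the text before matching. The following is an added example, not part of any post above and not ZoneAlarm's or any vendor's code; the blocklist, function names and sample message are constructed for illustration.

```python
import unicodedata
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".scr", ".pif", ".vbs")  # assumed blocklist
SPAM_WORDS = {"viagra"}                          # keyword used in the thread

def fold(text):
    """Case-fold and strip combining marks so accented forms compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def risky_attachments(msg):
    """Return attachment names with a blocked extension.

    The decision is made on the decoded, folded name, never on the raw
    header bytes, where a non-ASCII name appears RFC 2231-encoded.
    """
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if fold(name).endswith(BLOCKED_EXT):
            hits.append(name)
    return hits

def naive_spam_hits(msg):
    """Keyword match without folding: misses accented spellings."""
    subject = str(msg["Subject"] or "").lower()
    return sorted(w for w in SPAM_WORDS if w in subject)

def spam_hits(msg):
    """Keyword match on the accent-folded subject."""
    subject = fold(str(msg["Subject"] or ""))
    return sorted(w for w in SPAM_WORDS if w in subject)

def build_sample():
    """Constructed message: accented subject plus a caron in the file name."""
    m = EmailMessage()
    m["Subject"] = "Cheap vïágra"
    m.set_content("constructed body")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename="račun.exe")
    # Round-trip through bytes so headers are parsed as a filter would see them.
    return message_from_bytes(m.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    sample = build_sample()
    print(risky_attachments(sample), naive_spam_hits(sample), spam_hits(sample))
```
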